Re: CWE/CAPEC definitions update

2022-09-13 Thread Kurt Seifried
Should we also acknowledge regulated industries/law, e.g. causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components, and/or violating a given security policy/law/regulation that applies to the affected entity. On Mon, Sep 12, 2022 at 1:55

Re: CWE/CAPEC Definitions

2022-07-17 Thread Kurt Seifried
potentially exploitable. It also helps > protect from the “changes with time” issue since what is accepted to be > exploitable or potentially so necessarily changes with time. > > > > Thanks > > > > *From:* Kurt Seifried > *Sent:* Thursday, July 14, 2022 2:

RE: CWE/CAPEC Definitions

2022-07-15 Thread Rob Wissmann
Seifried Sent: Thursday, July 14, 2022 2:45 PM To: Hatfield, Arthur Cc: SJ Jazz ; Rob Wissmann ; Alec J Summers ; CWE Research Discussion Subject: Re: CWE/CAPEC Definitions There’s also changes in standards, expectations and so on. 20 years ago 2FA was exotic, now it’s commonplace and in 20

RE: CWE/CAPEC Definitions

2022-07-14 Thread Steven M Christey
: Kurt Seifried Sent: Thursday, July 14, 2022 2:45 PM To: Hatfield, Arthur Cc: Jarzombek, Joe ; Wissmann, Rob ; Alec J Summers ; CWE Research Discussion Subject: Re: CWE/CAPEC Definitions There’s also changes in standards, expectations and so on. 20 years ago 2FA was exotic, now it’s commonplace

Re: CWE/CAPEC Definitions

2022-07-14 Thread David A. Wheeler
> On Jul 14, 2022, at 1:47 PM, SJ Jazz wrote: > > Vulnerability = weakness + exploit > Or more specifically, > Vulnerability = weakness(es) + known exploit I believe the first one is the right one. That is, vulnerabilities = weakness + exploit exists. If vulnerabilities are only known

Re: CWE/CAPEC Definitions

2022-07-14 Thread SJ Jazz
: *SJ Jazz > *Date: *Thursday, July 14, 2022 at 1:13 PM > *To: *Rob Wissmann > *Cc: *Alec J Summers , CWE Research Discussion < > cwe-research-list@mitre.org> > *Subject: *[EXTERNAL] Re: CWE/CAPEC Definitions > > Actually, being listed as a CVE is not the criteria for be

Re: CWE/CAPEC Definitions

2022-07-14 Thread Hatfield, Arthur
Date: Thursday, July 14, 2022 at 1:13 PM To: Rob Wissmann Cc: Alec J Summers , CWE Research Discussion Subject: [EXTERNAL] Re: CWE/CAPEC Definitions Actually, being listed as a CVE is not the criterion for being a vulnerability. Only vulnerabilities catalogued as CVEs are 'known vulnerabilities

Re: CWE/CAPEC Definitions

2022-07-14 Thread Hatfield, Arthur
The Home Depot From: Rob Wissmann Date: Thursday, July 14, 2022 at 1:16 PM To: SJ Jazz Cc: Alec J Summers , CWE Research Discussion Subject: [EXTERNAL] RE: CWE/CAPEC Definitions Putting “known” in there still works. It doesn’t say publicly known, and known ability to be exploited for negative

RE: CWE/CAPEC Definitions

2022-07-14 Thread Rob Wissmann
E Research Discussion Subject: Re: CWE/CAPEC Definitions Actually, being listed as a CVE is not the criterion for being a vulnerability. Only vulnerabilities catalogued as CVEs are 'known vulnerabilities'. There are actual instances of uncatalogued (unpublished) vulnerabilities; some are in p

Re: CWE/CAPEC Definitions

2022-07-14 Thread SJ Jazz
Actually, being listed as a CVE is not the criterion for being a vulnerability. Only vulnerabilities catalogued as CVEs are 'known vulnerabilities'. There are actual instances of uncatalogued (unpublished) vulnerabilities; some are in proprietary or intelligence organizations' libraries, and some

RE: [External] - RE: CWE/CAPEC Definitions

2022-07-14 Thread Paul Anderson
ursday, July 14, 2022 7:58 AM To: CWE Research Discussion Subject: [External] - RE: CWE/CAPEC Definitions Dear all, dropping the mentioned part of the sentence is a very good idea. Apart from that I am fine with all three definitions. Best wishes Andreas Dr. re

RE: CWE/CAPEC Definitions

2022-07-14 Thread Rob Wissmann
Regarding the circular definitions, it has always struck me that weaknesses are flaws that may or may not be exploitable to cause negative impact whereas vulnerabilities are flaws known to be exploitable to cause negative impact. A rewrite of the definitions to match this concept:

Re: CWE/CAPEC Definitions

2022-07-14 Thread nazar.abdul
Hello, I think the part in red below should be removed because: 1. It removes the dependency of the definition of Vulnerability on the next definition, "Weakness". Do we really want one definition to be dependent on another definition? This creates confusion because now, in order to understand

Re: CWE/CAPEC Definitions

2022-07-14 Thread Landfield, Kent
: Thursday, July 14, 2022 at 11:19 AM To: Alec J Summers , CWE Research Discussion Subject: RE: CWE/CAPEC Definitions All, One issue I

Re: CWE/CAPEC Definitions

2022-07-14 Thread SJ Jazz
A short alternative definition for weakness: defect or characteristic that could enable undesirable behaviour ...Joe On Thu, Jul 14, 2022, 11:18 Paul Wooderson wrote: > All, > > > > One issue I see with these definitions of vulnerability and weakness is > that they are circular, i.e. each

RE: CWE/CAPEC Definitions

2022-07-14 Thread Paul Wooderson
All, One issue I see with these definitions of vulnerability and weakness is that they are circular, i.e. each term uses the other in its definition. So when each term is replaced with its definition in the other term's definition, it is impossible to resolve what is intended. I have tried

RE: CWE/CAPEC Definitions

2022-07-14 Thread Paul.Wortman
I also agree with dropping the “in a range of….” piece. It just further muddies the water and adds no value. - Paul From: Schweiger, Andreas Dr. Sent: Thursday, July 14, 2022 7:58 AM To: CWE Research Discussion Subject: RE: CWE/CAPEC Definitions Dear all, dropping the mentioned part

RE: CWE/CAPEC Definitions

2022-07-14 Thread Schweiger, Andreas Dr.
mes Pangburn [mailto:jpangb...@cadence.com] Sent: Wednesday, July 13, 2022 10:49 PM To: Joe Baum ; Kurt Seifried Cc: SJ Jazz ; Alec J Summers ; CWE Research Discussion Subject: RE: CWE/CAPEC Definitions I also vote to drop “in a range of …” Best regards, Jim Pangburn Director, IPG Operations Fr

RE: CWE/CAPEC Definitions

2022-07-13 Thread James Pangburn
I also vote to drop “in a range of …” Best regards, Jim Pangburn Director, IPG Operations From: Joe Baum Sent: Wednesday, July 13, 2022 1:21 PM To: Kurt Seifried Cc: SJ Jazz ; Alec J Summers ; CWE Research Discussion Subject: Re: CWE/CAPEC Definitions Or for that matter non

Re: CWE/CAPEC Definitions

2022-07-13 Thread Joe Baum
Or for that matter non-vendors. Software composition, as an example, Open Source, etc. Best Regards, Joe Baum Director, Threat Management Group On Wed, Jul 13, 2022 at 3:18 PM Kurt Seifried wrote: > Also, it excludes services. So yeah, I vote drop the " in a range of > products made by

Re: CWE/CAPEC Definitions

2022-07-13 Thread Kurt Seifried
Also, it excludes services. So yeah, I vote drop the " in a range of products made by different vendors" On Wed, Jul 13, 2022 at 2:12 PM SJ Jazz wrote: > I still recommend deleting at the end of the definition of weakness > "... in a range of products made by different vendors. > > It adds no

Re: CWE/CAPEC Definitions

2022-07-13 Thread SJ Jazz
I still recommend deleting at the end of the definition of weakness "... in a range of products made by different vendors. It adds no value, and actually unintentionally limits applicability by implying weaknesses only apply to products made by vendors. Regards, Joe On Wed, Jul 13, 2022, 12:08